### Brief description:
SQL injection in the latest PHPYUN release (phpyun_v3.1.0604_gbk), bypassing its built-in defences
### Detailed description:
Latest PHPYUN version: phpyun_v3.1.0604_gbk
File /member/model/index.class.php
```
function resume_ajax_action()
{
    include(PLUS_PATH."user.cache.php");
    // $_POST['type'] is concatenated straight into the table name: no whitelist, no escaping
    $table="resume_".$_POST['type'];
    // the id is cast to int, so only $table remains attacker-controlled
    $id=(int)$_POST['id'];
    // no check that the requested row belongs to the logged-in user
    $info=$this->obj->DB_select_once($table,"`id`='".$id."'");
    $info['skillval']=$userclass_name[$info['skill']];
    $info['ingval']=$userclass_name[$info['ing']];
    $info['sdate']=date("Y-m-d",$info['sdate']);
    $info['edate']=date("Y-m-d",$info['edate']);
    if(is_array($info))
    {
        foreach($info as $k=>$v)
        {
            $arr[$k]=iconv("gbk","utf-8",$v);
        }
    }
    // the whole row (phone, email, ...) is returned to the caller as JSON
    echo json_encode($arr);die;
}
```
Here `$table="resume_".$_POST['type'];` takes the `type` parameter without any filtering and passes it straight to the database layer: `$info=$this->obj->DB_select_once($table,"`id`='".$id."'");`
Following DB_select_once:
```
function DB_select_once($tablename, $where = 1, $select = "*") {
    // cache key is the raw table name plus the WHERE clause
    $cachename=$tablename.$where;
    if(!$return=$this->Memcache_set($cachename)){
        // $tablename is concatenated into the FROM clause exactly as received
        $SQL = "SELECT $select FROM " . $this->def . $tablename . " WHERE $where limit 1";
        $query = $this->db->query($SQL);
        $return=$this->db->fetch_array($query);
        $this->Memcache_set($cachename,$return);
    }
    return $return;
}
```
Nothing is sanitised here either, so the attacker-controlled table name reaches the query unchanged and this is an injection point.
PHPYUN does, however, ship some defences, including rules taken from 360webscan.
File /data/db.safety.php:
```
function gpc2sql($str) {
    // hard block: any of these keywords anywhere in the value ends the request
    if(preg_match("/select|insert|update|delete|union|into|load_file|outfile/is", $str))
    {
        exit(safe_pape());
    }
    // soft rewrite: " and " / " or " only match with surrounding spaces; the other
    // keywords get their first letter swapped for a non-ASCII look-alike (those
    // replacement characters are mangled in the extracted source and are shown as-is)
    $arr=array(" and "=>" an d "," or "=>" ��r ","%20"=>"","select"=>"��elect","update"=>"��pdate","count"=>"��ount","chr"=>"��hr","truncate"=>"��runcate","union"=>"��nion","delete"=>"��elete","insert"=>"��nsert");
    foreach($arr as $key=>$v){
        $str = preg_replace('/'.$key.'/isU',$v,$str);
    }
    return $str;
}
```
So a value such as ` and 1=1` is rewritten by this filter (the ` and ` rule turns it into ` an d 1=1`).
The rule only matches `and` with a space on both sides, so prefixing the keyword with an inline comment, `/**/and 1+1=1` (false) and `/**/and 1+1=2` (true), passes through untouched and gives a working true/false pair for boolean-based blind injection.
On top of that there is a horizontal privilege (insecure direct object reference) problem: the function never checks that the requested `id` belongs to the current user, so by querying the different resume tables and iterating over `id` we obtain every user's resume data, including phone number, email and so on.
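As an added example (not code from PHPYUN or from the original report), the following Python port models `gpc2sql()` together with the query construction in `resume_ajax_action()`/`DB_select_once()`, and shows why the comment-prefixed payloads above survive the filter and where they land in the SQL; it also shows a hardened builder with a whitelist of resume sections and an ownership predicate for the IDOR issue. The table prefix `phpyun_`, the set of allowed section names, the `uid` column, and the full-width stand-in characters for the garbled replacement values are assumptions.

```python
import re

# Keywords whose mere presence makes gpc2sql() call exit(): the request dies.
BLOCK_RE = re.compile(
    r"select|insert|update|delete|union|into|load_file|outfile", re.I | re.S)

# Replacement table of gpc2sql(). In the extracted source the non-ASCII
# substitute characters are mangled, so this port uses the Unicode full-width
# form of the first letter as a stand-in (an assumption, not the page's bytes).
# The rule that matters for the bypass, " and " -> " an d ", is readable as-is.
REPLACEMENTS = [
    (" and ", " an d "),
    (" or ", " \uff4fr "),
    ("%20", ""),
    ("select", "\uff53elect"),
    ("update", "\uff55pdate"),
    ("count", "\uff43ount"),
    ("chr", "\uff43hr"),
    ("truncate", "\uff54runcate"),
    ("union", "\uff55nion"),
    ("delete", "\uff44elete"),
    ("insert", "\uff49nsert"),
]


class Blocked(Exception):
    """Stands in for exit(safe_pape()) in gpc2sql()."""


def gpc2sql(value):
    """Python port of gpc2sql(): blacklist check, then case-insensitive literal rewrites."""
    if BLOCK_RE.search(value):
        raise Blocked(value)
    for key, sub in REPLACEMENTS:
        value = re.sub(re.escape(key), sub, value, flags=re.I)
    return value


def php_int(value):
    """Approximates PHP's (int) cast: leading integer, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


DEF = "phpyun_"  # assumed table prefix ($this->def); the page does not name it


def build_query(post_type, post_id):
    """Mirrors resume_ajax_action() + DB_select_once(): the filtered $table is
    concatenated unescaped into the FROM clause, while the id is cast to int."""
    table = "resume_" + gpc2sql(post_type)
    where = "`id`='%d'" % php_int(post_id)
    return "SELECT * FROM %s%s WHERE %s limit 1" % (DEF, table, where)


# Hardened variant: whitelist the resume section (assumed names) so the table
# name is never attacker-controlled, bind the id as a parameter, and add an
# ownership predicate (assumes the resume tables carry a uid column).
ALLOWED_TYPES = {"work", "edu", "training", "project"}


def safe_build_query(post_type, post_id, session_uid):
    if post_type not in ALLOWED_TYPES:
        raise ValueError("unknown resume section: %r" % post_type)
    sql = ("SELECT * FROM %sresume_%s WHERE `id`=%%s AND `uid`=%%s limit 1"
           % (DEF, post_type))
    return sql, (php_int(post_id), int(session_uid))


if __name__ == "__main__":
    print(repr(gpc2sql(" and 1=1")))          # rewritten to ' an d 1=1'
    print(repr(gpc2sql("/**/and 1+1=2")))     # passes unchanged
    print(build_query("work/**/and 1+1=2", "1"))
```

`build_query()` makes the point concrete: the injected fragment sits in the FROM clause before the application's own `WHERE`, which is why the filter's ` and ` rule, which needs a space on both sides, never fires on `/**/and`. The blacklist in `BLOCK_RE` stops `union select` style extraction, but it does nothing against a boolean oracle built from `and 1+1=1` / `and 1+1=2`, so blacklisting cannot replace the whitelist in `safe_build_query()`.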
### Proof of vulnerability:
[![1.png](https://images.seebug.org/upload/201406/09222632e72432ecff13e6d630edbf2f836615cd.png)](https://images.seebug.org/upload/201406/09222632e72432ecff13e6d630edbf2f836615cd.png)
With the false condition (`1+1=1`) no information is returned.
[![2.png](https://images.seebug.org/upload/201406/09222642568c263d6cc78eaf0a7c6fed3fcea431.png)](https://images.seebug.org/upload/201406/09222642568c263d6cc78eaf0a7c6fed3fcea431.png)
With the true condition (`1+1=2`) the record for id=1 is returned.
Enumerating through this true/false oracle yields user()=root.